Not getting very far with this on the Linux Mint forums - it seems like
an IP address change most certainly should survive a reboot, and it
seems implausible that such a blatant bug would go unnoticed on a
standard set-up.
But Shorewall isn't a standard set-up (quite). A germ of an idea is forming.
I'm using rules in /etc/shorewall/nat to do 2-way natting between
Raspberry Pi local addresses and external addresses on the school
network, and I set ADD_IP_ALIASES=Yes in shorewall.conf.
I suspect what's happening is that I'm getting into a situation where
enp2s0 has an IP address on one subnet and enp2s0:0-16 created by
Shorewall are on a different subnet, and that the confusion is causing a
new enp2s0 to be created on rebooting.
The solution would seem to be to turn off the start-on-boot option in
shorewall.conf, reboot, do everything needful with the IP configuration,
reboot to make sure it sticks, and only then allow Shorewall to start.
I won't be able to try it until Monday at the earliest, but it sounds
like there's a subtle mantrap here that could perhaps be highlighted in
the docs.
But why does it seem to take 25 seconds to create the NAT aliases? Is
this to be expected?
On 15/08/2023 22:02, Philip Le Riche wrote:
> Thanks Matt -
>
> On 15/08/2023 15:56, Matt Darfeuille wrote:
>> On 8/15/23 15:44, Philip Le Riche via Shorewall-users wrote:
>>> We have a Shorewall firewall at the school where I volunteer,
>>> protecting the school network from a Raspberry
>> snip...
>>> by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared
>>> with an IP address I didn't recognise.
>> This is a wild guess, to me you have a static network at home and a
>> DHCP set up at school. :)
> But that wouldn't be representative of the school environment, and I'm
> not sure how the NAT addresses could be made dynamic. You only need to
> be clever enough to avoid the DHCP pool to allocate a static address.
> And I was fortunate that I could use the same 4th octet in both
> environments and hence capture the Shorewall dependencies in my params
> file.
>>> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected
>> With a new set up, I would familiarize myself with the iptools PKG! ;^)
> ifconfig has served me well since SysV. Hey ho. Maybe I have to move
> with the times.
>>> shorewall stop and shorewall clear before reapplying the config made
>>> no improvement.
>> Most likely because it has nothing to do with SW!
> Most likely.
>>> Maybe I should be using the CUI commands, but I'll need to read a
>>> man page or two first, and I'm not sure whether the GUI tool
>>> maintains any of its own data. Anyway, a bit of insight from round
>>> here would be appreciated.
>> To me, headless mode is the way to go (Webmin comes to mind).
> For a server shut away in the basement that sounds like a good option.
> Must check it out. Except that I'd have had to successfully change the
> IP address before I could access Webmin (to change the IP address).
> And for a firewall, it'd add significantly to the attack surface. A
> quick search for "webmin cve" listed 81 vulnerabilities.
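The message above suspects that, with ADD_IP_ALIASES=Yes, the aliases Shorewall adds from /etc/shorewall/nat can end up on a different subnet from the primary address of enp2s0, and proposes keeping Shorewall from starting at boot until the addressing has settled. The following is an added example, not code from this thread and not part of Shorewall: a pre-flight check that a practitioner could run before `shorewall start` to confirm every EXTERNAL address in the nat file sits in the same subnet as the interface's primary address. It assumes the column layout documented in shorewall-nat(5) (EXTERNAL, INTERFACE, INTERNAL, ...), tolerates an `addr:N` alias-number suffix in the EXTERNAL column, and reads the primary address with `ip -4 -o addr show` from iproute2. It handles any prefix length, not only the /24 implied by "same 4th octet". The nat entries and addresses in the block are constructed samples from documentation ranges, not the school's real addressing.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread, not part of Shorewall).
# With ADD_IP_ALIASES=Yes, Shorewall adds each EXTERNAL address from
# /etc/shorewall/nat as an alias on INTERFACE (enp2s0:0, enp2s0:1, ...).
# Before letting Shorewall start, confirm those addresses share the subnet
# of the interface's primary address, so that a site-specific primary
# address cannot sit on one subnet while the 16 aliases sit on another.
# Assumptions: nat columns are EXTERNAL INTERFACE INTERNAL ... as in
# shorewall-nat(5); the primary address is given in CIDR form (a.b.c.d/p).

# Constructed sample nat file and primary address (documentation ranges).
SAMPLE_NAT='#EXTERNAL       INTERFACE   INTERNAL
192.0.2.20      enp2s0      10.0.0.20
192.0.2.21      enp2s0      10.0.0.21
198.51.100.22   enp2s0      10.0.0.22'
SAMPLE_PRIMARY='192.0.2.10/24'

# primary_addr IFACE: first global IPv4 address (CIDR) on IFACE as reported
# by ip(8); "secondary" entries, i.e. labelled aliases, are skipped.
primary_addr() {
  ip -4 -o addr show dev "$1" scope global 2>/dev/null |
    awk '!/secondary/ { print $4; exit }'
}

# nat_alias_mismatches NAT_TEXT PRIMARY_CIDR
# Prints "EXTERNAL on INTERFACE" for every EXTERNAL address outside the
# primary address's subnet; prints nothing when all are consistent.
nat_alias_mismatches() {
  printf '%s\n' "$1" | awk -v primary="$2" '
    function ip2n(ip,  o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # network number for the configured prefix length
    function netof(ip) { return int(ip2n(ip) / 2 ^ (32 - plen)) }
    BEGIN {
      split(primary, p, "/")
      plen = (p[2] == "") ? 32 : p[2] + 0
      pnet = netof(p[1])
    }
    /^[ \t]*#/ || NF < 2 { next }              # comments and blank lines
    {
      ext = $1
      sub(/:[0-9]+$/, "", ext)                 # strip an alias-number suffix (addr:N)
      if (ext ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && netof(ext) != pnet)
        print ext " on " $2
    }
  '
}

# check_nat_aliases NAT_TEXT PRIMARY_CIDR: exit 0 when consistent, 1 when
# any EXTERNAL address is off-subnet, 2 when no primary address was found.
check_nat_aliases() {
  [ -n "$2" ] || return 2
  n=$(nat_alias_mismatches "$1" "$2" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Hypothetical use on the live host, as a gate before starting Shorewall:
#   check_nat_aliases "$(cat /etc/shorewall/nat)" "$(primary_addr enp2s0)" \
#     || { echo "nat aliases disagree with enp2s0 primary address" >&2; exit 1; }
```

Run against the sample data, the check reports `198.51.100.22 on enp2s0` and fails, which is exactly the condition the message wants to rule out before the firewall is allowed to start on boot; on a consistent configuration it prints nothing and exits 0.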
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users